71 research outputs found

    Fast Algebraic Attacks and Decomposition of Symmetric Boolean Functions

    Algebraic and fast algebraic attacks are powerful tools for analyzing stream ciphers. A class of symmetric Boolean functions with maximum algebraic immunity was found vulnerable to fast algebraic attacks at EUROCRYPT'06. Recently, the notion of AAR (algebraic attack resistant) functions was introduced as a unified measure of protection against both classical algebraic and fast algebraic attacks. In this correspondence, we first give a decomposition of symmetric Boolean functions; then we show that almost all symmetric Boolean functions, including those with good algebraic immunity, behave badly against fast algebraic attacks, and we also prove that no symmetric Boolean function is an AAR function. Besides, we improve the relations between the algebraic degree and the algebraic immunity of symmetric Boolean functions. Comment: 13 pages, submitted to IEEE Transactions on Information Theory

    A Distinguisher on PRESENT-Like Permutations with Application to SPONGENT

    At Crypto 2015, Blondeau et al. showed a known-key analysis of the full PRESENT lightweight block cipher. Based on some of the best differential distinguishers, they introduced a meet-in-the-middle (MitM) layer pre-added to the differential distinguisher, which extends the number of attacked rounds on PRESENT from 26 rounds to the full number of rounds without reducing the differential probability. In this paper, we generalize their method and present a distinguisher on a class of permutations called PRESENT-like permutations. This generic distinguisher is divided into two phases. The first phase is a truncated differential distinguisher with strong bias, which describes the unbalancedness of output collisions on some fixed bits given fixed input on some bits; we take advantage of the strong relation between truncated differential probability and the capacity of multidimensional linear approximations to derive the best differential distinguishers. The second phase is the meet-in-the-middle layer, which is pre-added to the truncated differential to propagate the differential properties as far as possible. Unlike Blondeau et al.'s work, we extend the MitM layers from a 64-bit internal state to states of any size, and we also give a concrete bound to estimate the number of rounds covered by the MitM layer. As an illustration, we apply our technique to all versions of the SPONGENT permutations. In the truncated differential phase, we reach one, two or three rounds more than the results shown by the designers. In the meet-in-the-middle phase, we get up to 11 rounds to pre-add to the differential distinguishers. In total, we improve the previous distinguishers on all versions of the SPONGENT permutations by up to 13 rounds

    Lightweight MDS Generalized Circulant Matrices (Full Version)

    In this article, we analyze the circulant structure of generalized circulant matrices to reduce the search space for finding lightweight MDS matrices. We first show that the implementation of circulant matrices can be serialized and can achieve similar area requirements and clock cycle performance as a serial-based implementation. By proving many new properties and equivalence classes for circulant matrices, we greatly reduce the search space for finding lightweight maximum distance separable (MDS) circulant matrices. We also generalize the circulant structure and propose a new class of matrices, called cyclic matrices, which preserve the benefits of circulant matrices and, in addition, have the potential of being self-invertible. In this new class of matrices, we obtain not only the MDS matrices with the least XOR gate requirement for dimensions from 3x3 to 8x8 in GF(2^4) and GF(2^8), but also involutory MDS matrices, which were proven not to exist in the class of circulant matrices. To the best of our knowledge, the latter matrices are the first of their kind that have a matrix structure similar to circulant matrices and are involutory and MDS simultaneously. Compared to the existing best known lightweight matrices, our new candidates either outperform or match them in terms of XOR gates required for a hardware implementation. Notably, our work is generic and independent of the lightweight metric. Hence, it is applicable to improving the search for efficient circulant matrices under metrics other than XOR gates
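    The two checks this abstract relies on, whether a circulant matrix is MDS (every square submatrix nonsingular) and what its XOR count is, as an added Python example; this is not code from the paper. It assumes the usual XOR-count metric of the lightweight-MDS literature (per-entry XOR count of the multiplication-by-a-constant map, plus (n-1)*m XORs to add n entries of m bits each) and uses the AES MixColumns matrix circ(2,3,1,1) over GF(2^8)/x^8+x^4+x^3+x+1, which is known to be MDS, as a sanity check. The 3x3 search over GF(2^4)/x^4+x+1 is a plain brute force that does not use the paper's equivalence classes.

```python
from itertools import combinations, product


class GF2m:
    """GF(2^m) with elements stored as ints; poly is the irreducible polynomial with bit m set."""

    def __init__(self, m, poly):
        self.m, self.poly = m, poly

    def mul(self, a, b):
        """Shift-and-add multiplication with reduction modulo poly."""
        r = 0
        for _ in range(self.m):
            if b & 1:
                r ^= a
            b >>= 1
            a <<= 1
            if a >> self.m & 1:
                a ^= self.poly
        return r

    def xor_count(self, a):
        """XOR gates needed to multiply an arbitrary element by the constant a.
        Assumed metric: build the m x m binary matrix of x -> a*x (column j = a*x^j)
        and charge (row weight - 1) XORs per output bit."""
        cols = [self.mul(a, 1 << j) for j in range(self.m)]
        return sum(max(sum(c >> i & 1 for c in cols) - 1, 0) for i in range(self.m))


def nonsingular(F, mat):
    """Fraction-free Gaussian elimination: True iff the square matrix over F is invertible."""
    M = [row[:] for row in mat]
    n = len(M)
    for c in range(n):
        piv = next((r for r in range(c, n) if M[r][c]), None)
        if piv is None:
            return False
        M[c], M[piv] = M[piv], M[c]
        p = M[c][c]
        for r in range(c + 1, n):
            f = M[r][c]
            if f:
                # row_r <- p*row_r + f*row_c clears column c without needing p^-1
                M[r] = [F.mul(p, x) ^ F.mul(f, y) for x, y in zip(M[r], M[c])]
    return True


def is_mds(F, mat):
    """MDS <=> every square submatrix is nonsingular (1x1 minors force nonzero entries)."""
    n = len(mat)
    for k in range(1, n + 1):
        for rows in combinations(range(n), k):
            for cols in combinations(range(n), k):
                if not nonsingular(F, [[mat[r][c] for c in cols] for r in rows]):
                    return False
    return True


def circulant(first_row):
    """Row i is the first row rotated right by i positions."""
    n = len(first_row)
    return [[first_row[(j - i) % n] for j in range(n)] for i in range(n)]


def mat_mul(F, A, B):
    n = len(A)
    C = [[0] * n for _ in range(n)]
    for i in range(n):
        for j in range(n):
            for k in range(n):
                C[i][j] ^= F.mul(A[i][k], B[k][j])
    return C


def is_involutory(F, mat):
    n = len(mat)
    identity = [[int(i == j) for j in range(n)] for i in range(n)]
    return mat_mul(F, mat, mat) == identity


def row_xor_count(F, first_row):
    """Cost of one row: entry multiplications plus (n-1) m-bit XORs to add the n products."""
    return sum(F.xor_count(a) for a in first_row) + (len(first_row) - 1) * F.m


def lightest_mds_circulant(F, n):
    """Brute-force search (no equivalence-class pruning) for the cheapest n x n circulant
    MDS matrix over F; returns (row XOR count, first row)."""
    best = None
    for first_row in product(range(1, 1 << F.m), repeat=n):
        cost = row_xor_count(F, first_row)
        if best is not None and cost >= best[0]:
            continue  # cannot beat the current best, so skip the expensive MDS test
        if is_mds(F, circulant(list(first_row))):
            best = (cost, list(first_row))
    return best


AES_FIELD = GF2m(8, 0x11B)  # GF(2^8) / x^8 + x^4 + x^3 + x + 1
AES_MIXCOLUMNS = circulant([2, 3, 1, 1])

if __name__ == "__main__":
    print("AES MixColumns MDS:", is_mds(AES_FIELD, AES_MIXCOLUMNS))
    print("AES MixColumns row XOR count:", row_xor_count(AES_FIELD, [2, 3, 1, 1]))
    print("AES MixColumns involutory:", is_involutory(AES_FIELD, AES_MIXCOLUMNS))
    print("lightest 3x3 circulant MDS over GF(2^4)/x^4+x+1:",
          lightest_mds_circulant(GF2m(4, 0x13), 3))
```

    Running it reports that AES MixColumns is MDS with a row XOR count of 38 (3 for the entry 2, 11 for the entry 3, plus 24 for the three 8-bit additions) and is not involutory (its inverse is circ(14,11,13,9)), and that under this metric the lightest 3x3 circulant MDS matrix over GF(2^4)/x^4+x+1 is circ(1,1,x) at 9 XORs per row. The brute force is fine at 3x3 but grows as (2^m-1)^n, which is exactly why the paper's equivalence classes matter for 8x8.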

    Revisiting Cascade Ciphers in Indifferentiability Setting

    Shannon defined an ideal (κ,n)-blockcipher as a secrecy system consisting of 2^κ independent n-bit random permutations. In this paper, we revisit the following question: in the ideal cipher model, can a cascade of several ideal (κ,n)-blockciphers realize an ideal (2κ,n)-blockcipher? The motivation goes back to Shannon's theory of product secrecy systems, and a similar question was considered by Even and Goldreich (CRYPTO '83) in different settings. We give the first positive answer: for the cascade of independent ideal (κ,n)-blockciphers with two alternated independent keys, four stages are necessary and sufficient to realize an ideal (2κ,n)-blockcipher, in the sense of indifferentiability of Maurer et al. (TCC 2004). This shows that a cascade is capable of achieving key-length extension in settings where keys are not necessarily secret

    On the Immunity of Rotation Symmetric Boolean Functions Against Fast Algebraic Attacks

    In this paper, it is shown that an n-variable rotation symmetric Boolean function f with n even but not a power of 2 admits a rotation symmetric function g of degree at most e ≤ n/3 such that the product gf has degree at most n − e − 1
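    The quantities that both this abstract and the symmetric-function abstract above argue about, the algebraic immunity of f and the degree pairs (e, d) with deg g ≤ e and deg(gf) ≤ d that a fast algebraic attack exploits, computed for small n as an added Python example (not code from either paper). Functions are truth tables, ANFs come from the Möbius transform, and g is found by solving a linear system over GF(2), since the ANF of gf is linear in the ANF of g. The majority function serves as the test subject because it is symmetric (hence rotation symmetric) and has maximum algebraic immunity; nothing here reproduces the papers' general theorems, it only checks concrete instances.

```python
def anf(truth_table, n):
    """Algebraic normal form via the Möbius transform. truth_table[x] is f(x) with bit i
    of x holding variable x_i; a[m] is the coefficient of the monomial prod_{i in m} x_i."""
    a = list(truth_table)
    for i in range(n):
        bit = 1 << i
        for x in range(1 << n):
            if x & bit:
                a[x] ^= a[x ^ bit]
    return a


def degree(truth_table, n):
    """Algebraic degree (-1 for the zero function)."""
    a = anf(truth_table, n)
    return max((bin(m).count("1") for m in range(1 << n) if a[m]), default=-1)


def majority(n):
    """Majority function: 1 iff more than half of the inputs are 1 (symmetric in x_1..x_n)."""
    return [1 if bin(x).count("1") > n // 2 else 0 for x in range(1 << n)]


def gf2_nullspace(rows, k):
    """Basis of {v in GF(2)^k : r.v = 0 for every r in rows}; rows and vectors are k-bit ints."""
    pivots = {}  # pivot column -> row, kept in reduced echelon form
    for r in rows:
        for c, p in pivots.items():
            if r >> c & 1:
                r ^= p
        if r:
            c = (r & -r).bit_length() - 1  # lowest set bit becomes the pivot
            for c2 in pivots:
                if pivots[c2] >> c & 1:
                    pivots[c2] ^= r
            pivots[c] = r
    basis = []
    for free in range(k):
        if free not in pivots:
            v = 1 << free
            for c, p in pivots.items():
                if p >> free & 1:
                    v |= 1 << c
            basis.append(v)
    return basis


def low_degree_multiples(f, n, e, d):
    """Truth tables of a basis of {g : deg g <= e and deg(g*f) <= d}.
    g -> ANF(g*f) is linear in the ANF coefficients of g, so this set is the kernel of
    'coefficient of every monomial of degree > d'. d = -1 asks for annihilators (g*f = 0)."""
    N = 1 << n
    monos = [m for m in range(N) if bin(m).count("1") <= e]
    # column i = ANF of (monomial_i * f), i.e. the image of one basis element of g
    cols = [anf([f[x] if (x & m) == m else 0 for x in range(N)], n) for m in monos]
    rows = []
    for t in range(N):
        if bin(t).count("1") > d:
            rows.append(sum(1 << i for i, col in enumerate(cols) if col[t]))
    result = []
    for v in gf2_nullspace(rows, len(monos)):
        g = [0] * N
        for i, m in enumerate(monos):
            if v >> i & 1:
                for x in range(N):
                    if (x & m) == m:
                        g[x] ^= 1
        result.append(g)
    return result


def algebraic_immunity(f, n):
    """Minimum degree of a nonzero annihilator of f or of f+1."""
    not_f = [b ^ 1 for b in f]
    for e in range(n + 1):
        if low_degree_multiples(f, n, e, -1) or low_degree_multiples(not_f, n, e, -1):
            return e


def min_product_degree(f, n, e):
    """Smallest d for which some nonzero g with deg g <= e has deg(g*f) <= d: the (e, d)
    pair a fast algebraic attack exploits; the smaller e + d, the cheaper the attack."""
    for d in range(-1, n + 1):
        if low_degree_multiples(f, n, e, d):
            return d


if __name__ == "__main__":
    for n in (3, 5, 7):
        f = majority(n)
        print(f"n={n}: deg f={degree(f, n)}, AI={algebraic_immunity(f, n)}, "
              f"min deg(g*f) with deg g<=1: {min_product_degree(f, n, 1)}")
```

    For n = 5 the run shows deg f = 4 and AI = 3, the best possible, yet a linear g already gives deg(gf) = 3 (for instance g = x1 + x2), an (e, d) = (1, 3) relation with e + d < n, which is the sort of fast-algebraic-attack weakness both abstracts describe. The linear-algebra search is exact, but it works on 2^n-entry truth tables, so it is only practical for small n.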

    Moving a Step of ChaCha in Syncopated Rhythm

    The stream cipher ChaCha is one of the most widely used ciphers in the real world, deployed for example in TLS and SSH. In this paper, we study the security of ChaCha via differential cryptanalysis based on probabilistic neutral bits (PNBs). We introduce the syncopation technique for the PNB-based approximation in the backward direction, which significantly amplifies its correlation by exploiting the properties of the ARX structure. By virtue of this technique, we present a new and efficient method for finding a good set of PNBs. A refined framework for key-recovery attacks is then formalized for round-reduced ChaCha. The new techniques allow us to break 7.5 rounds of ChaCha without the last XOR and rotation, as well as to mount faster attacks on 6 rounds and 7 rounds of ChaCha

    New Collision Attacks on Round-Reduced Keccak

    In this paper, we focus on collision attacks against the Keccak hash function family and some of its variants. Following the framework developed by Dinur et al. at FSE 2012, where 4-round collisions were found by combining 3-round differential trails and 1-round connectors, we extend the connectors one round further and hence achieve collision attacks for up to 5 rounds. The extension is possible thanks to the large degree of freedom of the wide internal state. By linearizing all S-boxes of the first round, the problem of finding solutions of 2-round connectors is converted to that of solving a system of linear equations. However, due to the quick loss of freedom caused by the linearization, the system has a solution only when the 3-round differential trails satisfy some additional conditions. We develop a dedicated differential trail search strategy and find that such special differentials do exist. As a result, the first practical collision attack against 5-round SHAKE128 and two 5-round instances of the Keccak collision challenges are found with real examples. We also give the first results against 5-round Keccak-224 and the 6-round Keccak collision challenges. It is remarked that the work here is still far from threatening the security of the full 24-round Keccak family

    Specific biomarker mining and rapid detection of Burkholderia cepacia complex by recombinase polymerase amplification

    Objective: To mine specific proteins and their protein-coding genes as suitable molecular biomarkers for Burkholderia cepacia complex (BCC) bacteria detection, based on a mega-analysis of microbial proteomic and genomic data comparisons, and to develop a real-time recombinase polymerase amplification (rt-RPA) assay for rapid isothermal screening of pharmaceutical and personal care products.
    Methods: We constructed an automatic screening framework in Python to compare the microbial proteomes of 78 BCC strains and 263 non-BCC strains and identify BCC-specific protein sequences. In addition, the specific protein-coding gene and its core DNA sequence were validated in silico against a self-built genome database containing 158 thousand bacteria. The rt-RPA methodology for BCC detection was evaluated on 58 strains in pure culture and 33 batches of artificially contaminated pharmaceutical and personal care products.
    Results: We identified the protein SecY and its protein-coding gene secY through the automatic comparison framework. The virtual evaluation of the conserved region of the secY gene showed more than 99.8% specificity against the genome database, and it distinguishes all known BCC species from other bacteria by phylogenetic analysis. Furthermore, the detection limit of the rt-RPA assay targeting the secY gene was 5.6 × 10^2 CFU of BCC bacteria in pure culture, or 1.2 pg of BCC genomic DNA, within 30 min. It was validated to detect <1 CFU/portion of BCC bacteria from artificially contaminated samples after a pre-enrichment process. The relative trueness and sensitivity of the rt-RPA assay were 100% in practice compared to the reference methods.
    Conclusion: The automatic comparison framework for molecular biomarker mining is straightforward, universal, applicable, and efficient. Based on recognizing the BCC-specific protein SecY and its gene, we successfully established the rt-RPA assay for rapid detection in pharmaceutical and personal care products

    New Insights on AES-like SPN Ciphers

    It was proved at Eurocrypt 2016 that if the details of the S-boxes are not exploited, an impossible differential and a zero-correlation linear hull can extend over at most 4 rounds of the AES. This paper concentrates on distinguishing attacks on AES-like SPN ciphers by investigating the details of both the S-boxes and the MDS matrices, and it provides some new insights into the security of these schemes. Firstly, we construct several types of 5-round zero-correlation linear hulls for AES-like ciphers that use identical S-boxes in the round function and that have two identical elements in a column of the inverse of their MDS matrix. We then use these linear hulls to construct 5-round integral distinguishers, provided that the difference of two sub-key bytes is known. Furthermore, we prove that we can always distinguish 5 rounds of such ciphers from random permutations even when the difference of the sub-keys is unknown. Secondly, the constraints on the S-boxes and the special property of the MDS matrices can be removed if the cipher is used as the building block of a Miyaguchi-Preneel hash function. As an example, we construct two types of 5-round distinguishers for the hash function Whirlpool. Finally, we show that, in the chosen-ciphertext setting, there exist nontrivial distinguishers for 5-round AES. To the best of our knowledge, this is the longest distinguishing attack on round-reduced AES in the secret-key setting. Since the 5-round distinguisher for the AES can only be constructed in the chosen-ciphertext setting, the security margin of round-reduced AES under chosen-plaintext attack may differ from that under chosen-ciphertext attack